[c-nsp] Modern BGP peering border router and DDoS attack defense recommendations?
joshua sahala
jejs+lists at sahala.org
Thu Jun 9 15:30:08 EDT 2005
On (09/06/05 11:53), Sam Crooks wrote:
>
> I understand the issues with access port speed. The app needs maybe 2
> T1.. I am trying to get a feel for the minimum access port speed to
> not fall over from a trivial DDoS attack

a few owned hosts connected to cable/dsl can kill a t1 or two. if
someone wants to take you down, short of having an oc192/10gig uplink,
they will probably succeed - in the past week some friends have seen
several ddos attacks of 1-4Gbps...point being, it is really really hard
to get a connection big enough to stand up. knowing how to get in touch
with your isp and having a clueful provider who can help you mitigate it
are more effective, and a lot less expensive.

> case to those who write the checks) and will otherwise balk at MRC of
> $20K/month (or more) for access, when $1k was fine for the past 5
> years and $60K for each border router when a $0k router (single SP
> managed router) does the job (from their quick perusal of the
> datasheet)... thus trying to get a feel for acceptable minimums for
> the border router.

two other things to consider (just in case you didn't already have enough
numbers/info to crunch :) ) is a private line/loop to the nearest
IX...not sure where you are geographically, but you can probably get a
decent sized link there and a cross-connect for a lot less per megabit
than those t1s (if there is an IX fairly close); or, see if cogent could
bring in a circuit - they are still selling well below costs, and it
would give you more bandwidth. no reason to pay >$200Mb...

a 37/3800 would probably work ok for this, though i'm not sure if the
router would fall over or the circuit would fill up first under an attack

/joshua
--
A common mistake that people make when trying to design something
completely foolproof is to underestimate the ingenuity of complete
fools.
- Douglas Adams -